GDPR’s Most Frequently Asked Questions: Does a Company’s Reason for Processing Information Impact Whether It Must Allow Someone to Access It?

May 18, 2018

The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR, and concerning related data privacy laws in the European Union.

Question: Does a company’s reason for processing information impact whether it must honor a right of access?

Answer: No. 

The GDPR recognizes six situations in which a company may process personal data. As the following chart illustrates, some individual rights – such as the right to be forgotten – are dependent upon which permissible purpose a company relies upon. Other individual rights – such as the right to access personal information – are not.

| Permissible Purpose | Right to be forgotten | Right to Access data | Right to data portability | Right to rectification | Right to object to processing |
| --- | --- | --- | --- | --- | --- |
| Consent (i.e., Article 6(1)(a)) | Y | Y | Y [1] | Y | Y [2] |
| Contract (i.e., Article 6(1)(b)) | X | Y | Y [3] | Y | X |
| Compliance with legal obligation (i.e., Article 6(1)(c)) | X | Y | X | Y | X |
| Protecting vital interest of data subject (i.e., Article 6(1)(d)) | X | Y | X | Y | X |
| Public interest (i.e., Article 6(1)(e)) | X [4] | Y | X | Y | Y |
| Legitimate interest of controller (i.e., Article 6(1)(f)) | Y [5] | Y | X | Y | Y |


1. Note that processing must also be carried out by automated means in order for the right to apply. GDPR, Article 20(1)(b).

2. Although an individual does not have a right to object pursuant to GDPR Article 21, they do have a right to withdraw consent pursuant to GDPR Article 7(3).

3. Note that processing must also be carried out by automated means in order for the right to apply. GDPR, Article 20(1)(b).

4. When a request is made, the controller is required to determine whether there are overriding legitimate grounds for processing.

5. When a request is made, the controller is required to determine whether there are overriding legitimate grounds for processing.